Quantum hacking: experimental demonstration of time-shift attack against practical 

quantum key distribution systems 
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Quantum key distribution (QKD) systems can send signals over more than 100 km standard 
optical fiber and are widely believed to be secure. Here, we show experimentally for the first time a 
technologically feasible attack, namely the time-shift attack, against a commercial QKD system. Our 
result shows that, contrary to popular belief, an eavesdropper, Eve, has a non-negligible probability 
(~4%) to break the security of the system. Eve's success is due to the well-known detection efficiency 
loophole in the experimental testing of Bell inequalities. Therefore, the detection efficiency loophole 
plays a key role not only in fundamental physics, but also in technological applications such as QKD. 

PACS numbers: 03.67.Dd 
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Quantum key distribution (QKD) 0, 0] provides a 
method to share a secret key between legitimate users 
called "Alice" (the sender) and "Bob" (the receiver). The 
unconditional security of QKD has ben rigorously proved 
based on the laws of physics 3,4]. Even imperfect practi- 
cal QKD systems have also been proved secure assuming 
some semi- realistic models 0, @] . The decoy method 0| 
was proposed to dramatically improve the performance 
of a practical QKD system. Our group has implemented 
the decoy method experimentally over 15km and 60km of 
telecom fibers Q. Incidentally, QKD has found real- life 
applications in a recent Swiss election [§]. 

Recently, there has been a lot of theoretical interest on 
the connection between the security of QKD and funda- 
mental physical principles such as the violation of Bell's 
inequality and the no-signaling constraint [10( on space- 
like observables. An ultimate goal, which has not yet 
been achieved [TJ], is to construct a device-independent 
security proof. As is well-known, the experimental test- 
ing of Bell's inequality often suffers from the detection 
efficiency loophole. A fair sampling assumption may save 
the day. However, as we will demonstrate below, rather 
surprisingly, the low detection efficiency of practical de- 
tectors not only violates the fair sampling assumption 
that would be needed in security proofs based on Bell- 
inequality violation, but also gives Eve (an eavesdropper) 
a powerful handle to break the security of a practical 
QKD system. Therefore, the detection efficiency loop- 
hole is of both conceptual and practical interest. 

Our work is an illustration of general physical limita- 
tions, rather than a particular technological weakness. 
Indeed, a practical QKD system often includes two or 
more detectors. It is virtually impossible to manufac- 
ture identical detectors in practice. As a result, the two 
detectors of the same QKD system will exhibit different 
detection efficiencies as functions of either one or a com- 
bination of variables in the time, frequency, polarization, 
and/or spatial domains. If Eve manipulates a signal in 



these variables, she could effectively exploit the detection 
efficiency loophole to break the security of a QKD sys- 
tem. In our experiment, we consider Eve's manipulation 
of the time variable. Our work demonstrates the gen- 
eral problem of detection efficiency loophole in practical 
QKD systems. 

Recently, quantum hacking has attracted much scien- 
tific and popular attention 12j. Makarov et al. proposed 
a faked-state attack and studied its feasibility with their 
home-made QKD system 13, [13]. Unfortunately, this 



attack is an intercept-resend attack which is hard to im- 
plement in practice. Therefore, this attack has never 
been successfully demonstrated in experiments. Kim et 
al. simulated an entanglement probe attack on the BB84 
protocol [15]. However, it serves to demonstrate the secu- 
rity rather than the insecurity of QKD systems because 
this attack has already been considered in standard se- 
curity proofs. A study of the information leakage due to 
public announcement of the timing information by Bob 
was reported However, Bob does not need to make 
such an announcement in practice. In summary, despite 
numerous efforts, up till now, no one has even come close 
to hacking successfully a practical QKD system, let alone 
a commercial one. 

Here, we present the first experimental demonstration 
of a successful hacking against a commercial QKD sys- 
tem. It is highly surprising to break a well-designed com- 
mercial QKD system with only current technology. Our 
work shows clearly the slippery nature of QKD [1 71 ] and 
forces us to re-examine the security of practical QKD 
systems and its applications in real-life. The attack we 
use is the time-shift attack proposed by us in (l8| . The 
time-shift attack is simple to implement as it does not 
involve any measurement or state preparation by Eve. 

The time-shift attack exploits the detection efficiency 
mismatch between the two detectors in a QKD system in 
the time domain. In QKD security proofs (e.g. ref.[l|), 
a standard assumption is that the detection efficiencies 
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(b)A conceptual schematic of Eve's 
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FIG. 1: Conceptual drawings. 



for the bits "0" and "1" are equal. However, its validity 



is questionable ID, 14 , 



18l | . For example, a typical time- 
dependence of the detection efficiency of a practical fiber- 
based QKD system (with InGaAs avalanche photo diodes 
(APDs) of telecom wavelength operating at gated Geiger 
mode) is illustrated in Fig. 1(a) Note that, at time A the 
detection efficiency for the bit "0" is much higher than 
that for the bit "1" , while the opposite case can be found 
at B. The detection efficiency mismatch can only be 
confidently removed if the efficiencies are constant in time 
domain. We remark that even non-gated single-photon 
detectors such as Si APDs exhibit detection efficiency 
mismatch due to intrinsic dead-time (l9j . 

The idea of the time-shift attack is simple. Eve can 
shift the arrival time of each signal to either A or B 
randomly with probabilities pa and pg = 1 — pa respec- 
tively. Eve can carefully choose pa to keep the number 
of Bob's detection events of "0"s and "l"s equal. Since 
Bob's measurement result will be biased towards "0" or 
"1" depending on the time shift (A or B), Eve can "steal" 
information without alerting Alice or Bob. A conceptual 
setup to launch the time-shift attack is shown in Fig. 
1(b) Eve can choose to connect Alice and Bob through 



either a longer arm or a shorter arm so as to shift the 
signal around time A (a negative shift), or around time 
B (a positive shift). 

The success of our demonstration is a big surprise be- 
cause in our experiment, Eve cannot perform a quan- 
tum non-demolition (QND) measurement on the photon 
number or compensate any loss introduced by the attack, 
while Eve can have arbitrarily advanced technology in se- 
curity proofs. In other words, our practical Eve is much 
weaker than the eavesdropper in security proofs. It is sur- 
prising to see an attack which can be implemented with 
current technology (e.g., the time-shift attack) can do 
better than even the QND attack, which is significantly 
beyond current technology. 

The experiment is performed on top of a modified 
commercial ID-500 QKD setup [2(| manufactured by id 
Quantique. The schematic of our experimental setup is 
shown in Fig. [2] 

The crucial issues in the experiment are the activation 
times of the two detectors (APDs in Fig. [2]). The com- 
mercial QKD system has a built-in calibration program 
which sets the activation time of each detector indepen- 
dently. The activation times of the two detectors differ 
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FIG. 2: The schematic of experimental demonstration of the 
time-shift attack. Inside Jr. Bob/ Jr. Alice: components 
in Bob/ Alice's package of id Quantique QKD system. Our 
modifications: LD: narrow pulse laser diode; OVDL: opti- 
cal variable delay line; DCF: dispersion compensating fiber. 
Original QKD system: APD: avalanche photon diode; $a/b : 
phase modulator; PBS: polarizing beam splitter; PD: classical 
photo detector; DL: delay line; FM: faraday mirror. 



slightly due to the discrepancies in the lengths of the 
fibers connecting them. Ideally, to minimize the detec- 
tion efficiency mismatch, the difference of the activation 
times should take a constant value. However, at times 
the difference in the activation times as set by the built-in 
calibration program deviates from this value, suggesting 
a larger efficiency mismatch. We observed the maximum 
value of the deviations as A ~ lOOps. To get statistics of 
this deviation, we ran the built-in calibration program for 
2844 times, during which the deviation reaches A for 106 
times. This is, the detection efficiency mismatch reaches 
its maximum value with a probability of ~4%. 

After the calibration of the activation times, we use the 
optical variable delay line (OVDL in Fig. [2]) to manually 
shift the arrival time of the signals, looking for instants 
that show large efficiency mismatch. 

There are several challenges in this experiment. In our 
setup, the gating window for the detectors (APDs in Fig. 
[2]) is ^500ps, which is close to the laser pulse width. This 
will "blur" the efficiency mismatch. However, the com- 
mercial QKD system is not immune from the time-shift 
attack as Eve can simply apply standard pulse compres- 
sion technique to the bright pulses sent from Bob to Alice 
in the channel (e.g. [2l[). In our experiment, we replaced 
the original laser source by a PicoQuant laser diode (LD 
in Fig. [2]) with pulse width ^lOOps, which is eq uivalent 
to the compression scheme mentioned above [22j. 

Another challenge is the chromatic dispersion in the 
fiber which broadens the laser pulses. We thus installed 
~ 2 km dispersion compensating fiber (DCF in Fig. ^ . 
Ideally, Eve can pre-chirp the bright pulses that are sent 
from Bob to Alice. Note that both the pre-chirping and 
pulse compression can be done on the bright pulses from 
Bob to Alice without touching the quantum signal sent 
from Alice to Bob. Therefore, neither process would in- 
crease the channel loss when Alice sends quantum signals 
to Bob. We thus view the dispersion compensating fiber 
(DCF in Fig. as part of Alice's local apparatus. 

A third challenge is the optimization of the attack. 
Naively, Eve could simply select large shifts as they 
would definitely provide substantial intrinsic detection ef- 
ficiency mismatches. However, they may be suboptimal 
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FIG. 3: Efficiencies of the two detectors versus time shifts. 
Inset: the mismatch of detectors efficiencies (defined as 
max( j 1 , ^)). The peak efficiencies of detectors are slightly 
different, suggesting the detection efficiency has slightly 
drifted since the factory setting. The data size for time 
shifts with large detection efficiency mismatch (-250ps, - 
200ps, 500ps, 600ps, and 650ps) is chosen to be 20.97Mbit 
to acquire accurate mismatch, while the data size for other 
shifts is chosen to be 1.05Mbit to speed up the experiment. 



for the attack because their low intrinsic detection effi- 
ciencies make the dark count significant, increasing the 
quantum bit error rate (QBER) and consequently the 
cost of the error correction. Therefore the task of choos- 
ing the shifts is non-trivial. The time-shift attack will 
introduce additional loss as the signals are shifted to the 
low-efficiency region. Nonetheless, since Alice and Bob's 
channel may not be a straight line and there may be ad- 
ditional loss due to components such as optical switches, 
in practice Eve could lower the channel loss by for exam- 
ple replacing existing channel with a better one without 
alerting Alice and Bob. So, the power of time-shift attack 
may be stronger than what one naively thinks. 

We demonstrated the time-shift attack in the following 
way: first, the activation times of detectors were deter- 
mined by the built-in program; second, the arrival times 
of the signals were shifted at a step of 50 ps (a narrower 
step was not necessary as the pulse width was ~100 ps); 
third, at each shifted time, Alice and Bob exchanged key 
at an average photon number (at Alice's output) of 0.1; 
fourth, Bob calculated the counts of each detector and 
the error rates. The entire experiment after each calibra- 
tion spanned ~15 minutes. 

In real attack Eve should apply an alternative tech- 
nique to obtain the efficiency mismatch as she has no 
access to Bob's apparatus [18j : she can gradually shift 
a small subset of the signals and set them to or 1 and 
deduce the amount of the mismatch from Bob's detection 
announcement. Our experimental results show that the 
mismatch is stable throughout the 15-min span of our 
experiment. Therefore Eve has sufficient time to obtain 
the mismatch information and launch her attack. 

The experimentally measured detector efficiencies are 
shown in Fig. [3] for the case where the deviation in ac- 
tivation times takes the maximal value Ai m . It shows 
substantial detection efficiency mismatch. In particular, 
two shifts with large mismatches are found as in Table I. 



The security of the QKD system is analyzed in the 
following way: one can estimate an upper bound K\j of 
the key length given the efficiency mismatch known by 
Eve and a lower bound ignoring the time-shift attack 
(as Alice and Bob cannot detect the attack). If the upper 
bound is less than the lower bound (i.e., > K\j ), 
there must be some information leaked to Eve unknown 
to Alice or Bob. 

We consider that Alice sends N bits to Bob, among 
which the same basis are used for N bits and Bob de- 
tects NQ signals (Q is the overall gain). Here we assume 
that infinite decoy state protocol and one-way classical 
communications for post-processing are used. 

Lower bound: The error correction will consume 



r EC = NQf(E)H 2 (E) 



(1) 



bits, where E is the overall QBER, H2(x) is the standard 
binary Shannon entropy function, f(x) is the error cor- 
rection inefficiency [231] . The net key length ignoring the 
time-shift attack is thus [B|, 24 , 2^, |26| 



-rEC+N{Q 1 [l-H 2 {e 1 )]+Q \ 



(2) 



where Qi and ej are the gain and the QBER for the 
signals with i photons sent by Alice. 

Upper bound: an upper bound is given by [27rj 
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£ [Pr{Z 2 =j|Z 1= i} 
Pr{Zi = z} • H 2 {Pr{X = Q\Z X = i, Z 2 = j})} (3) 



where X, Z±, and Z 2 are classical random variables rep- 
resenting Alice's initial bit, Eve's choice of the time shift 
for each bit, and the basis information, respectively. 



TABLE I: Experimental results. 
(a)The number of detections. 
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-250 10992 1541 20,966,400 
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1231 4059 20,966,400 



(b)The number of detections given that Alice and Bob use 
the same basis. TV = 10,481,280 bits. Y is Bob's bit value. 
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(c)Parameters for computing the key length. 
Theoretical Experimental 
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The upper bound and the lower bound of the key rate 
can then be calculated from Eqs. ([I])-© using data in Ta- 



ble I. The calculation results are shown in Table 1(c) Y 



is determined experimentally. Note that no double clicks 
were observed in our experiment. The fact that > K\j 
clearly indicates the success of the attack [28 1. 



We conclude with a few general lessons. First, counter- 
measures often exist for known attacks. For instance, the 
"four-state measurement" proposal (which suggests that 
for phase-encoding BB84 protocol, Bob's phase modula- 
tion is randomly selected from a set of four values instead 
of two values) can shield the time-shift attack. Second, 
the implementation of a counter-measure may open up 
new security loopholes. For instance, the four-state mea- 
surement scheme will be vulnerable to combined large 
pulse [2^ | and time-shift attack. Once an attack is known, 
the prevention is usually easy. However, we have a third 
lesson: unanticipated attacks are most dangerous. 

The time-shift attack is demonstrated on a bi- 
directional system. However, it is a threat to a general 
class of QKD systems (including uni-directional setup) 
and protocols (eg. 0). Moreover, we are concerned with 
the general physical limitations of detection efficiency 
loophole, rather than a specific technological problem. 
The time-shift attack can be easily generalized to spatial- 
, spectral-, and polarization-shift attack exploiting the 
efficiency mismatch in the corresponding domains. On 
the practical side, our work highlights the significance of 
side channel attacks [13, [HI in QKD. Historically, the 
existence of a side-channel attack went back to the first 
QKD experiment, which was unconditionally secure to 
any eavesdropper who happens to be deaf! 

In summary, we report the first experimental demon- 
stration of a technologically feasible attack against a com- 
mercial QKD system. Our results clearly show that even 
QKD systems built by trustworthy manufacturers may 
contain subtle flaws that will allow Eve to break it with 
current technologies. The success of the attack highlights 
the importance to battle-test practical QKD systems and 
work on security proofs with testable assumptions. It is 
remarkable that the detection efficiency loophole plays 
a key role in both fundamental physics and technologi- 
cal applications (e.g., QKD systems) [3l[. How to close 
the detection efficiency loophole and side-channel attacks 
will be an important subject for future investigation. 
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